Date:  Mon, 29 Sep 2008 11:58:20 -0400
From:  Abdul-Rashid Abdullah <webmaster (at mark) muntada.com>
Subject:  [coba-e:14109] Re: Dovecot Attack
To:  "coba-e (at mark) bluequartz.org" <coba-e (at mark) bluequartz.org>
Message-Id:  <C506735C.337FC%webmaster (at mark) muntada.com>
In-Reply-To:  <200809291550.m8TFoOU9010309 (at mark) huda.muntadanet.com>
X-Mail-Count: 14109

Let me also provide a little bit more information.  I added the IP also to
the hosts.deny file.  That didn't change anything.

I tried to do an iptables restart but it basically hung up the system.

I have a ton of IPs in the hosts file, presumably from denyHosts.


On 9/29/08 11:50 AM, "MuntadaNet Webmaster" <webmaster (at mark) muntada.com> wrote:

> I have an offending IP who is attacking dovecot.  The log looks like this:
> 
> Sep 29 11:48:40 huda dovecot: pop3-login: Aborted login (1
> authentication attempts): user=<eddie>, method=PLAIN,
> rip=65.69.251.9, lip=216.14.86.227
> 
> The user keeps changing as it cycles through.
> 
> Now, I have run the following command:
> 
> iptables -A INPUT -s 65.69.251.9 -j DROP
> 
> However, it still keeps occurring.
> 
> I am running denyHosts and I run the dfix.sh script.
> 
> What am I doing wrong and what else do I need to do?
> 
> After a while, no one can check their email as it destroys dovecot.
> 
> -Rashid
>
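
Added example, not part of the original messages: a Python sketch that parses dovecot "Aborted login" lines in the format quoted above and reports remote IPs that fail against several different usernames, which is the cycling pattern the message describes. The sample log lines, the host name mailhost, the addresses (RFC 5737 documentation ranges), the function name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout follows the "Aborted login" line quoted in the message.
LINE_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login "
    r"\((?P<n>\d+) authentication attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,\s]+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)"
)

# Constructed sample input (one log entry per line, as syslog writes it).
SAMPLE_LOG = """\
Sep 29 11:48:40 mailhost dovecot: pop3-login: Aborted login (1 authentication attempts): user=<eddie>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Sep 29 11:48:42 mailhost dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edward>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Sep 29 11:48:44 mailhost dovecot: pop3-login: Aborted login (1 authentication attempts): user=<edwin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Sep 29 11:49:01 mailhost dovecot: pop3-login: Aborted login (1 authentication attempts): user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
Sep 29 11:49:05 mailhost dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.5
"""


def username_cycling_sources(lines, min_users=3):
    """Map each remote IP that failed against >= min_users distinct
    usernames to its total attempt count and the usernames it tried."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        rip = m.group("rip")
        users[rip].add(m.group("user"))
        attempts[rip] += int(m.group("n"))
    return {
        rip: {"attempts": attempts[rip], "users": sorted(names)}
        for rip, names in users.items()
        if len(names) >= min_users
    }


if __name__ == "__main__":
    for rip, info in username_cycling_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{rip}: {info['attempts']} failed attempts, users={info['users']}")
```

A single failure from one address (192.0.2.77 in the sample) stays below the threshold, so a user mistyping a password is not reported alongside the cycling source.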